I would like to mention that I tried to contact with all the vendors other times too, but nobody replied back.

Public release : 22/06/2014

Details:

It has been identified that Webmaster Platinum solar logging machine has unencrypted the CF memory card and anyone can mount the Operating System having the ability to read critical system files.

So an atacker could access the /etc/passwd and /etc/shadow files in which username and password hashes are included. The hash algorithm that is used in these files is DES. That means that the password can be consisted of a maximum of 8 chars.

Ports 21, 22 and 23 are opened by default in these systems. That makes remote attacks a serious threat for the product. Based on the default password policy that is used, attackers could bruteforce the root password hash and then they will be able to login at every solar logging machine of that vendor. In addition, a user can authenticate himself to the web interface with the default credentials given in the product's manual.

All the applications of the Operating System(Suse) are run with root privileges. This is a security risk because if a malicious user manage to exploit any of the services, he will gain root access to the system.

The main sqlite3 database file is located in /usr/local/scc/config.db3. Critical information are unencrypted such as users and hashes of the web interface(hidden users too), plaintext credentials of email server that is used for email alerts and credentials to the vendor's ftp update server.

The user of ftp update server on the remote server has write access to any directory of the ftp scope. This is a critical vulnerability that gives the opportunity to an attacker to upload malicious update files for other products too.

Recommendations:

Firstly, I would advise the company not to update the systems via FTP. The updates could be done via HTTPS.

Also, I would use obfuscation to the config.db3 file, like the perl obfuscation that is used in the main script of the system, in order to avoid data dumps.

Finally, the default credentials policy must be changed. For each device a unique password must be created and printed on the device.

Disclaimer : I won't upload any specific credential from the companies. Any actions and/or activities related to the material contained within this post is solely your responsibility. The misuse of the information in this article can result in criminal charges brought against the person in question. The author of this article will not be held responsible any criminal charges be brought against individuals misusing the information to break the law.